The onus is on the OSS consumer to ensure that OSS is “fit for use” in the consumer’s context, which requires: (1) the wherewithal to analyze the code effectively, and (2) insight into the practices the authors used, in order to verify its trustworthiness. The Software Engineering Institute is working with Defense Acquisition programs to build and pilot a framework, OSS-P4/R, focusing on criteria associated with possible vulnerabilities that may affect the OSS component. This presentation will describe the selected criteria and a method that has been piloted for establishing confidence in the trustworthiness of the OSS based on the assembled data.